New Research Reveals Google Wallet Unsafe

It's been a bad week for Google. First, researcher Joshua Rubin from zvelo revealed a quick, simple brute force technique to extract the Google Wallet PIN from a rooted phone. Then a blog called The Smartphone Champ revealed that even if the phone isn't rooted, a thief could gain access to funds in the Google Wallet prepaid card by wiping Google Wallet settings and running setup again. Google responded by suspending new prepaid cards, but pointed out that rooting a phone capable of running Google Wallet will necessarily wipe all its data. Today Rubin demonstrated that it is in fact possible to achieve root privilege on such a phone without wiping the data. Sorry, Google!

I caught a subtle whiff of this possibility in a weekend post on the Google Commerce Blog by Osama Bedier, Vice President, Google Wallet and Payments. This post stated that "in most cases, rooting your phone will cause your Google Wallet data to be automatically wiped from the device." That's a slight step back from Google's earlier contention that there is no way to root a Wallet-compatible phone without wiping the data.

Escalation of Privilege

Rubin's latest post includes full details but remains understandable for any interested user. To start, he points out that there are different ways to attain root privilege on a smartphone. The most common technique involves unlocking the bootloader, but on the Nexus line of phones, unlocking the bootloader automatically wipes all data.

However, Rubin's Google Wallet Cracker doesn't require literally unlocking the bootloader. All it needs to do is break down the sandbox walls that keep one application from accessing another's data by elevating the current user's privilege level.

Rubin's post links to specific vulnerabilities that are present in the current operating system used by Nexus phones, along with a proof-of-concept hack based on one such vulnerability. He tested the exploit code and verified that it gave the current user root privilege without wiping the Google Wallet PIN or any other data. And, as he points out, it's quite likely that even after this vulnerability gets patched, others will surface.

What Does It Mean?

In response to the initial warning, Google (and Rubin) advised users to never, ever run Google Wallet on a rooted phone. This new evidence shows that even if you don't root your phone, a thief could root it ex post facto and steal your funds.

Google and Rubin also both advised users to employ a screen lock of some kind. A simple PIN may not be sufficient. At last summer's Black Hat conference, security expert Dino Dai Zovi offered a list of estimated times to guess different levels of PIN codes. The time to crack a 4-digit numeric PIN? Eighteen minutes. Fortunately, as Rubin pointed out, after each handful of bad guesses Android inserts a delay before allowing any more.

There are other ways to gain access to a phone even when a screen lock is active. Rubin explained to me exactly how USB Debugging could be used to get shell access to the device. I'm not going to print the details here (no need to make it easy for the bad guys), but trust me: you must turn off USB Debugging.

It's also true that if you inadvertently install a malicious app that includes a privilege escalation exploit, your PIN may have been cracked already. Fortunately that PIN does absolutely no good unless the malware coder somehow connects with the thief who has physical possession of the phone.

Musing on what it would take to gain access through varying levels of security, Rubin concluded that a full password lock and full encryption should be sufficient to keep out the toughest hacker.
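To put numbers on the screen-lock advice above (the 18-minute figure for a 4-digit PIN, Android's delay after bad guesses, and the recommendation of a full password), here is an added example that is not from Rubin's post or from Google. The per-guess time is derived from the 18-minute figure; the throttle of 5 failures followed by a 30-second delay is an assumption, since the article says only "a handful" and "a delay".

```python
from dataclasses import dataclass
from typing import Optional

# From the article: a 4-digit PIN (10,000 values) falls in about 18 minutes.
PIN4_SPACE = 10 ** 4
PER_GUESS_S = (18 * 60) / PIN4_SPACE   # about 0.108 s per guess (derived)

@dataclass(frozen=True)
class Throttle:
    failures_per_window: int   # bad guesses allowed before a delay kicks in
    delay_s: float             # delay imposed after each full window

# ASSUMPTION: these two values are illustrative, not taken from the article.
ASSUMED_THROTTLE = Throttle(failures_per_window=5, delay_s=30.0)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets of a fixed length."""
    return alphabet_size ** length

def worst_case_seconds(space: int, throttle: Optional[Throttle] = None) -> float:
    """Time to try every value when the correct one happens to be tried last."""
    total = space * PER_GUESS_S
    if throttle is not None:
        failures = space - 1   # the final, correct guess triggers no delay
        total += (failures // throttle.failures_per_window) * throttle.delay_s
    return total

def compare() -> dict:
    """Worst-case hours per lock type: (no delay, with the assumed delay)."""
    locks = {
        "4-digit PIN": keyspace(10, 4),
        "6-digit PIN": keyspace(10, 6),
        "8-char password (a-z, A-Z, 0-9)": keyspace(62, 8),
    }
    return {
        name: (worst_case_seconds(space) / 3600,
               worst_case_seconds(space, ASSUMED_THROTTLE) / 3600)
        for name, space in locks.items()
    }

if __name__ == "__main__":
    for name, (plain_h, throttled_h) in compare().items():
        print(f"{name:34s} {plain_h:16.1f} h {throttled_h:16.1f} h")
```

Under the assumed throttle the 4-digit PIN goes from 18 minutes to roughly 17 hours, while the 8-character password is out of reach either way, which is the gap the full-password recommendation relies on.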

Convenience Lost

Google touts Google Wallet as much more convenient than conventional credit cards. Just wave your phone near the PayPass reader and presto! You've paid the bill. Unfortunately, protection powerful enough to block any possibility of PIN cracking cuts down the convenience factor.

Rubin concludes that power users will continue to root their devices and software vulnerabilities aren't going away. Kernel-based privilege isolation isn't secure enough to protect "extremely sensitive data like that contained in Google Wallet." Probably Google's best way out of this dilemma will involve navigating some thorny legal issues that currently prevent them from storing the PIN inside the inaccessible Secure Element that holds data like the full credit card number. Let's hope they succeed.
